To do this, it's important to understand that to authenticate to Kerberos,
one of two things has to happen:
1. A human has to enter a secret at some point.
2. A secret has to be stored somewhere on a computer.
You can play some funny games with either of these two things, but it
basically boils down to #1 or #2.
Now, to truly run kadmin unattended, you need to store the secret key of a
privileged user somewhere on the computer that will run kadmin. That means
that if the system is ever compromised, the attacker could gain access to
this secret key and use it to do nasty things to your Kerberos database. You
need to decide if you want to open yourself up to this risk.
That being said, here's how you do it.
1. Create the admin principal you wish to use.
2. Put the key for the admin principal somewhere on your machine.
3. Use kinit to acquire a Kerberos ticket for the principal from the
keytab, and run kadmin with the -q option to perform whatever tasks you wish.
Here's an example of a shell script that does this.
#!/bin/sh
#
# Run a single kadmin command non-interactively, authenticating with a key
# stored in a keytab rather than a password typed by a human.
PATH=$PATH:/path/to/kerberos; export PATH
# Use a private credential cache for this run so the admin ticket does not
# land in the default cache.
KRB5CCNAME=/tmp/krb5cc_root_$$; export KRB5CCNAME
# Destroy the ticket on exit, including on hangup, interrupt and termination.
trap kdestroy 0 1 2 3 5 15
# Get a ticket for the kadmin/admin service from the keytab, then run the
# requested kadmin query against that credential cache.
kinit -S kadmin/admin -k -t /path/to/keytab admin_principal
kadmin -c "$KRB5CCNAME" -q "delprinc foo"
exit 0
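The same kinit/kadmin sequence, as an added example that is not part of the original FAQ answer, with two checks that address the risk described above: it refuses to use a keytab that anyone but its owner can read, and it uses a fresh per-run credential cache that is destroyed on exit. The keytab path and principal name are placeholders copied from the FAQ's script.

```shell
#!/bin/sh
# Added example (not from the original FAQ): the FAQ's kinit/kadmin sequence
# wrapped with two defensive checks. Paths and principal are placeholders.
set -eu

KEYTAB=/path/to/keytab            # placeholder, as in the FAQ
ADMIN_PRINC=admin_principal       # placeholder, as in the FAQ

# Refuse to use a keytab that anyone but its owner can read: the keytab holds
# the admin key in clear, so the group and other permission bits must be off.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    # characters 5-10 of "ls -l" output are the group and other bits
    case "$mode" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run one kadmin query with a private, per-run credential cache that is
# destroyed on exit, so the admin ticket never outlives the job.
run_kadmin_query() {
    query=$1
    check_keytab_perms "$KEYTAB" || {
        echo "refusing: $KEYTAB must be readable by its owner only" >&2
        return 1
    }
    KRB5CCNAME=$(mktemp /tmp/krb5cc_kadmin_XXXXXX)
    export KRB5CCNAME
    trap 'kdestroy >/dev/null 2>&1; rm -f "$KRB5CCNAME"' EXIT HUP INT TERM
    kinit -S kadmin/admin -k -t "$KEYTAB" "$ADMIN_PRINC"
    kadmin -c "$KRB5CCNAME" -q "$query"
}

# Example invocation:  ./kadmin-unattended.sh "delprinc foo"
if [ $# -gt 0 ]; then
    run_kadmin_query "$1"
fi
```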